Tuesday, April 27, 2010

As near as I can tell, way too many networking vendors handle autonegotiation incorrectly for 100M ethernet.

I mean, it could be worse -- things could fall back to 10M.

If a fastethernet port is set to autonegotiate, when it sees link, it tries to - as you might guess - negotiate the speed and duplex. If the device at the far side doesn't negotiate in a compatible fashion or at all, a port set to autonegotiate will fall back to half duplex.

If this happens, then at best you end up with both sides at half duplex (annoying but not catastrophic) or, worse, with a duplex mismatch. A duplex mismatch can totally hose your performance.

Honestly, when dealing with 100M, I'd just as soon hard-set everything to full duplex and be done with it.
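A quick way to spot the fallback described above from the switch side is to look at duplex state and error counters. The following parser is an added example, not part of the original post; it runs over a constructed "show interfaces" excerpt (not captured from a real device) and flags ports that landed on half duplex or show late collisions, the classic duplex-mismatch symptom.

```python
import re

# Constructed sample in the style of Cisco "show interfaces" output (not real
# device output): Fa0/1 negotiated cleanly, Fa0/2 fell back to half duplex
# against a peer that was hard-set to full duplex.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/1 is up, line protocol is up
  Full-duplex, 100Mb/s, 100BaseTX/FX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
FastEthernet0/2 is up, line protocol is up
  Half-duplex, 100Mb/s, 100BaseTX/FX
     318 input errors, 291 CRC, 27 frame, 0 overrun, 0 ignored
     0 output errors, 4412 collisions, 3 interface resets
     0 babbles, 1207 late collision, 96 deferred
"""

IFACE_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)")
DUPLEX_RE = re.compile(r"^\s+(Full|Half)-duplex, (\d+)Mb/s")
LATE_RE = re.compile(r"(\d+) late collision")
CRC_RE = re.compile(r"(\d+) CRC")

def parse_interfaces(text):
    """Return {name: {"duplex", "speed", "late", "crc"}} for each interface block."""
    ports, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:  # new interface block starts; counters default to zero
            cur = ports.setdefault(m.group(1), {"duplex": None, "speed": None, "late": 0, "crc": 0})
            continue
        if cur is None:
            continue
        m = DUPLEX_RE.match(line)
        if m:
            cur["duplex"], cur["speed"] = m.group(1).lower(), int(m.group(2))
        m = LATE_RE.search(line)
        if m:
            cur["late"] = int(m.group(1))
        m = CRC_RE.search(line)
        if m:
            cur["crc"] = int(m.group(1))
    return ports

def suspect_ports(ports):
    """Flag ports whose state or counters point at a failed negotiation or duplex mismatch."""
    findings = {}
    for name, p in ports.items():
        reasons = []
        if p["duplex"] == "half":
            reasons.append("half-duplex: peer probably not negotiating")
        if p["late"] > 0:
            reasons.append("late collisions: classic duplex-mismatch symptom")
        if p["crc"] > 0 and p["duplex"] == "full":
            reasons.append("CRC errors on the full-duplex side of a mismatch")
        if reasons:
            findings[name] = reasons
    return findings
```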

Tuesday, April 20, 2010

Password recovery on the cisco 2900 series is a little bit more involved than password recovery on a 2800 -- you need physical access to the switch to push a button. Remote control power outlets won't help you, here. Instead of typing the "break" sequence at boot time, you need to push the "MODE" button.

So, yeah, connect up your console, power cycle the switch (there's no power switch, so you have to unplug/replug it), and then press and hold the "MODE" button as you power it up.

The top LED above the MODE button is labelled "SYST". This LED will begin to flash green during the POST, and -- if you are holding down the "MODE" button -- will eventually turn solid green. At that point, you can release the "MODE" button.

If you do a directory listing of the flash drive, you should see a file named "config.text", which contains the startup configuration for your device. Renaming that to something other than "config.text" (or, if you want to do a full wipe, deleting it) will cause the switch to boot up without a startup config.

switch: rename flash:config.text flash:config.old
switch:

Issuing the "boot" command will start the rest of the boot process. Once it's up and ready, answer "no" to the initial configuration prompt.

Friday, April 16, 2010

So, there you are, with a cisco 2800 series router that you need to reconfigure. And you're all set to take some down time, reconfigure it, and drop back into service.

Only you don't have the password for it. The password is lost, or forgotten, or was typo'd initially. Something like that. Which makes any further configuration tasks kind of difficult.

Password recovery on the cisco 2800 is pretty trivial. You don't even have to do a full wipe to factory defaults, so no configuration data is lost. You need to be able to power cycle the router, so you need to have either physical access or the ability to remotely control whatever outlet is feeding your router. If you've got that, then it just takes a console connection and about 10 minutes of downtime. Non-enable exec access to the unprivileged command line interface is helpful, but not required.

First, make sure you know how to send a "break" signal with whatever you're using to connect to the console - whether directly to the console from a serial port on your computer, or via some kind of remote console server.

If you have CLI access, do a "sh ver" and make a note of the configuration register value it reports (a hex number like 0x2102). If you don't have CLI access, just assume it's 0x2102, because that's almost certainly what it is.

This is the configuration register, which tells the router important things at boot time, like "Should I load IOS? Should I load the config that's in my NVRAM?" What you need to do is tell it that, in fact, it should not load the NVRAM config on boot. This is done by modifying the config register. To do that, you need to get into "rommon" mode.

Power cycle your router, and then send the "break" sequence within the first 60 seconds of power-on.

It should display a message "System received an abort due to break key", and then a bit more text, and then the "rommon 1>" prompt. If it starts to self-decompress its IOS image, you've missed your opportunity and you'll need to power cycle the router and try sending the break sequence again.

Change the value for the configuration register with the command

confreg 0x2142

Reset the router with the "reset" command. At this point, the router should go through its normal boot sequence, decompressing the IOS image and starting up IOS. But since it's not loading the configuration from NVRAM, it will ask you if you want to go through the initial configuration dialog, just as if it were a new router out of the box. You don't want the guided setup, so you can answer "n" to the question:

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: n

Hit return a few times to get to the "Router>" prompt, and then go into enable mode -- you will not be prompted for a password -- and then tell the router to load the "startup-config" configuration from NVRAM into running memory.

You should then see messages about interfaces coming up and other normal messages as the router processes your config information. Once it's done with that, you should have a prompt for the configured hostname of your router. At this point, you can change the passwords and enable secrets as normal, enable your live interfaces, and then save the config to NVRAM to save your changes.

Take a look at the configuration, and the interfaces, and verify that the router looks like you want it to -- that interfaces are up and happy. You don't want to be accidentally saving a config that has all your interfaces in "shutdown" mode. Since "no shut" is the default state, the config you loaded won't include the "no shut" commands explicitly. So make sure all your active interfaces are up.

Now, you need to reset the configuration register to the previous value so that the next time the router reboots, it will read the NVRAM config.

Do a "sh ver" to make sure the configuration register reads "0x2102". If you have the spare time in your downtime window and you want to be extra sure, do a clean reload on the router and make sure it comes up happily. Because nothing sucks like being locked out of a router because of something you did in an attempt to not be locked out of a router.
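The whole procedure above hinges on one bit of the configuration register. The helper below is an added example (not from the original post) that decodes the register fields that matter at boot, derives the 0x2102 to 0x2142 change and its reversal, and implements the final "sh ver" sanity check as a function, so you can tell before a reload whether the box would come up ignoring NVRAM again. The bit layout is the standard Cisco IOS configuration register; the field names are my own.

```python
# Standard Cisco IOS configuration register bits (16-bit value).
IGNORE_NVRAM = 0x0040    # bit 6: boot without the NVRAM config ("confreg 0x2142" sets it)
BREAK_DISABLED = 0x0100  # bit 8: break key ignored once IOS is running (still honoured early in boot)
BOOT_FIELD = 0x000F      # bits 0-3: 0x0 = stay in rommon, 0x1 = first flash image, 0x2-0xF = normal boot
CONSOLE_BAUD = {0x0000: 9600, 0x0800: 4800, 0x1000: 1200, 0x1800: 2400}  # bits 11-12

def decode_confreg(reg):
    """Break a configuration register into the fields that decide how the router boots."""
    if not 0 <= reg <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    return {
        "boot_field": reg & BOOT_FIELD,
        "ignore_nvram": bool(reg & IGNORE_NVRAM),
        "break_disabled": bool(reg & BREAK_DISABLED),
        "console_baud": CONSOLE_BAUD[reg & 0x1800],
    }

def recovery_value(reg):
    """Register to set in rommon so the next boot skips NVRAM: 0x2102 -> 0x2142."""
    return reg | IGNORE_NVRAM

def restored_value(reg):
    """Register to put back from IOS so later reboots read NVRAM again: 0x2142 -> 0x2102."""
    return reg & ~IGNORE_NVRAM & 0xFFFF

def safe_to_reload(reg):
    """The post's final 'sh ver' check: a reload is only safe if the router will
    load IOS (not stop in rommon) and will read its NVRAM config."""
    fields = decode_confreg(reg)
    return fields["boot_field"] != 0 and not fields["ignore_nvram"]

if __name__ == "__main__":
    for value in (0x2102, 0x2142):
        print(hex(value), decode_confreg(value), "safe to reload:", safe_to_reload(value))
```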

Sunday, April 11, 2010

The Kandinsky is painted on both sides! -- "Six Degrees of Separation"

Don't just label your gear, label it on both the front and the back. (Or the sides/top/bottom -- whatever sides people are going to be using to identify the equipment and work on it.)

This sounds kind of obvious, but I've worked in places where this seemed to be a strange new concept.

Clear labeling of your network equipment, on both the front and the back, can speed troubleshooting - particularly if you've got someone doing the hands-on work who is less familiar with the setup. If you're likely to have colo staff doing remote hands work, be even more fastidious about your labeling.

Make sure that the label is visible. If your machine has a separate faceplate that needs to be removed for maintenance access, label the faceplate and label the surface under the faceplate. That way, if someone puts the wrong faceplate back on the machine, a person doing maintenance can see the mismatch.

Make sure that the label is well-secured. If it's falling off or has lost its adhesive, replace it or tape over it with clear adhesive tape to re-secure it.